Use the health check

Each health check item runs a separate search. The searches run sequentially. When one search finishes, the next one starts. After all searches have completed, the results are sorted by severity: Error, Warning, Info, Success, or N/A.

Click a severity level at the top of the results to see only results with that severity level. Click a row to see more information, including suggested actions.

To run only some of the checks, filter by tag or category before clicking Start. From the monitoring console, you can run health checks that have been created in any app installed on your monitoring console node. Use the app drop-down list to filter health checks by app context.

Exclude a check

You can disable a specific check to prevent it from running when you click Start:

1. Click Monitoring Console > Settings > Health Check Items.
2. Locate the check you wish to disable in the list.
3. Click Disable.
4. Reload Monitoring Console > Health Check.

You can also filter the checks by group, app, tag, and category at the top of the page before clicking Start.

Modify an existing check

You can modify an existing check. For example, to modify the warning threshold for the Excessive physical memory usage check from 90% to 80%:

1. Click Monitoring Console > Settings > Health Check Items.
2. In the Excessive physical memory usage row, click Edit.
3. Edit the Search and Description fields.
4. (Optional) Rename the health check item to reflect your modification.
5. Click Save.

The modifications are saved to your filesystem in $SPLUNK_HOME/etc/apps/splunk_monitoring_console/local/checklist.conf

Create a new health check

You can add a new health check item as follows:

1. Click Monitoring Console > Settings > Health Check Items.
2. Click New Health Check Item.
3. Fill in the title and ID fields.
4. (Optional) Choose an app context for this check. The default is monitoring console.
5. Continue filling in the fields. Be sure to include a severity level in your search (| eval severity_level). Without this, the search returns results as N/A. See About searches for guidance filling in the Search field.
6. (Optional) For Environments to exclude, select either Standalone or Distributed. Any other value in this field is ignored. See What can the monitoring console do? for information about standalone and distributed modes.
7. Click Save.

The modifications are saved to your filesystem in $SPLUNK_HOME/etc/apps/<app_name>/local/checklist.conf on *nix or %SPLUNK_HOME%\etc\apps\<app_name>\local\checklist.conf on Windows. If you do not specify an app context, the modifications are saved in the splunk_monitoring_console app directory.

Search results format

In standalone mode, the search string generates the final result. In distributed mode, this search generates one row per instance in the result table.

The search results must be in the following format.

| instance | metric | severity_level |
| --- | --- | --- |
| <instance name> | <metric number or string> | <level number> |

Severity level names correspond to values as follows.

| Severity level name | Severity level value |
| --- | --- |
| Error | 3 |
| Warning | 2 |
| Info | 1 |
| Success | 0 |
| N/A | -1 |

Add a drilldown to a search or dashboard

You can also include a drilldown to another search or to a dashboard, for example a monitoring console dashboard, in your health check results.

To include a monitoring console dashboard drilldown:

1. Choose an existing dashboard in the monitoring console that is relevant to the data you want to run a health check on. Choose a dashboard that has a drop-down list to choose an instance or machine.
2. Inspect the URL using the drop-down list to see which parts of the URL are needed to specify the instance you want. Look for &form.splunk_server=$instance$ toward the end of the URL.
3. Trim the URL to a URI that starts with /app/ and has a $ delimited variable name that is a column in the search results for your health check item. For example, /app/splunk_monitoring_console/distributed_search_instance?form.splunk_server=$search_head$

To include a search drilldown, find or create a search with a $ delimited variable in it. The variable must exist as a column name in the health check search results. For example, a drilldown of index=_internal $instance$ will work, as long as "instance" is a column name in the health check search.
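A pre-save lint for a custom health check, added here as an example and not part of the Splunk documentation or product: it checks exported result rows against the format and severity values above, and confirms that every $ delimited drilldown variable is a column in the results. The function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Severity values and names from the table on this page.
SEVERITY = {"3": "Error", "2": "Warning", "1": "Info", "0": "Success", "-1": "N/A"}
REQUIRED = ("instance", "metric", "severity_level")
TOKEN = re.compile(r"\$([A-Za-z_]\w*)\$")  # $ delimited variable name

# Constructed sample rows, shaped like a distributed-mode result (one row per instance).
SAMPLE_ROWS = [
    {"instance": "idx01", "metric": "62.5", "severity_level": "0"},
    {"instance": "idx02", "metric": "93.1", "severity_level": "2"},
    {"instance": "sh01", "metric": "unknown", "severity_level": "-1"},
]


def lint_health_check(rows, drilldown=""):
    """Return a list of problems in result rows (dicts) and a drilldown string."""
    problems = []
    columns = set().union(*(row.keys() for row in rows))
    for name in REQUIRED:
        if name not in columns:
            problems.append(f"missing column: {name}")
    if "severity_level" in columns:
        for i, row in enumerate(rows):
            raw = row.get("severity_level")
            if str(raw).strip() not in SEVERITY:
                problems.append(f"row {i}: severity_level {raw!r} is not -1, 0, 1, 2 or 3")
    # Every drilldown variable must exist as a column in the search results.
    for token in TOKEN.findall(drilldown):
        if token not in columns:
            problems.append(f"drilldown variable ${token}$ is not a result column")
    return problems


def sort_by_severity(rows):
    """Order rows Error, Warning, Info, Success, N/A (descending severity value)."""
    return sorted(rows, key=lambda row: -int(row["severity_level"]))


if __name__ == "__main__":
    for row in sort_by_severity(SAMPLE_ROWS):
        print(row["instance"], SEVERITY[row["severity_level"]])
    print(lint_health_check(SAMPLE_ROWS, "index=_internal $rest_scope$"))
```

A drilldown that still contains $rest_scope$ or $hist_scope$ is reported here because neither name is a result column.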

Most likely, you want a drilldown search of the search you just ran. In that case, replace $rest_scope$ or $hist_scope$ with $instance$, where instance is a column name in the health check search. For example:
